| _create_time |
Timestamp of resource creation |
EpochMsTimestamp |
Readonly
Sortable |
| _create_user |
ID of the user who created this resource |
string |
Readonly |
| _last_modified_time |
Timestamp of last modification |
EpochMsTimestamp |
Readonly
Sortable |
| _last_modified_user |
ID of the user who last modified this resource |
string |
Readonly |
| _links |
References related to this resource
The server will populate this field when returing the resource. Ignored on PUT and POST. |
array of ResourceLink |
Readonly |
| _protection |
Indicates protection status of this resource
Protection status is one of the following:
PROTECTED - the client who retrieved the entity is not allowed
to modify it.
NOT_PROTECTED - the client who retrieved the entity is allowed
to modify it
REQUIRE_OVERRIDE - the client who retrieved the entity is a super
user and can modify it, but only when providing
the request header X-Allow-Overwrite=true.
UNKNOWN - the _protection field could not be determined for this
entity.
|
string |
Readonly |
| _revision |
Generation of this resource config
The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int |
|
| _schema |
Schema for this resource |
string |
Readonly |
| _self |
Link to this resource |
SelfResourceLink |
Readonly |
| _system_owned |
Indicates system owned resource |
boolean |
Readonly |
| action |
Action
The action to be applied to all the services
The JUMP_TO_APPLICATION action is only supported for rules created in the
Environment category. Once a match is hit then the rule processing
will jump to the rules present in the Application category, skipping
all further rules in the Environment category. If no rules match in
the Application category then the default application rule will be hit.
This is applicable only for DFW.
|
string |
Enum: ALLOW, DROP, REJECT, JUMP_TO_APPLICATION |
| children |
subtree for this type within policy tree
subtree for this type within policy tree containing nested elements.
|
array of ChildPolicyConfigResource
Children are not allowed for this type |
|
| description |
Description of this resource |
string |
Maximum length: 1024
Sortable |
| destination_groups |
Destination group paths
We need paths as duplicate names may exist for groups under different
domains. Along with paths we support IP Address of type IPv4 and IPv6.
IP Address can be in one of the format(CIDR, IP Address, Range of IP Address).
In order to specify all groups, use the constant "ANY". This
is case insensitive. If "ANY" is used, it should be the ONLY element
in the group array. Error will be thrown if ANY is used in conjunction
with other values.
|
array of string |
Maximum items: 128 |
| destinations_excluded |
Negation of destination groups
If set to true, the rule gets applied on all the groups that are
NOT part of the destination groups. If false, the rule applies to the
destination groups
|
boolean |
Default: "False" |
| direction |
Direction
Define direction of traffic.
|
string |
Enum: IN, OUT, IN_OUT
Default: "IN_OUT" |
| disabled |
Flag to disable the rule
Flag to disable the rule. Default is enabled. |
boolean |
Default: "False" |
| display_name |
Identifier to use when displaying entity in logs or GUI
Defaults to ID if not set |
string |
Maximum length: 255
Sortable |
| id |
Unique identifier of this resource |
string |
Sortable |
| ip_protocol |
IPv4 vs IPv6 packet type
Type of IP packet that should be matched while enforcing the rule.
The value is set to IPV4_IPV6 for Layer3 rule if not specified.
For Layer2/Ether rule the value must be null.
|
string |
Enum: IPV4, IPV6, IPV4_IPV6 |
| is_default |
Default rule flag
A flag to indicate whether rule is a default rule. |
boolean |
Readonly |
| logged |
Enable logging flag
Flag to enable packet logging. Default is disabled. |
boolean |
Default: "False" |
| marked_for_delete |
Indicates whether the intent object is marked for deletion
Intent objects are not directly deleted from the system when a delete
is invoked on them. They are marked for deletion and only when all the
realized entities for that intent object gets deleted, the intent object
is deleted. Objects that are marked for deletion are not returned in
GET call. One can use the search API to get these objects.
|
boolean |
Readonly
Default: "False" |
| notes |
Text for additional notes on changes
Text for additional notes on changes. |
string |
Maximum length: 2048 |
| overridden |
Indicates whether this object is the overridden intent object
Global intent objects cannot be modified by the user.
However, certain global intent objects can be overridden locally by use
of this property. In such cases, the overridden local values take
precedence over the globally defined values for the properties.
|
boolean |
Readonly
Default: "False" |
| parent_path |
Path of its parent
Path of its parent |
string |
Readonly |
| path |
Absolute path of this object
Absolute path of this object |
string |
Readonly |
| profiles |
Layer 7 service profiles or TLS action profile
Holds the list of layer 7 service profile paths. These profiles accept
attributes and sub-attributes of various network services
(e.g. L4 AppId, encryption algorithm, domain name, etc) as key value
pairs. Instead of Layer 7 service profiles you can use a L7 access profile.
One of either Layer 7 service profiles or L7 Access Profile can be used in firewall rule.
In case of L7 access profile only one is allowed.
|
array of string |
Maximum items: 128 |
| realization_id |
A unique identifier assigned by the system for realizing intent
This is a UUID generated by the system for realizing the entity object.
In most cases this should be same as 'unique_id' of the entity. However,
in some cases this can be different because of entities have migrated thier
unique identifier to NSX Policy intent objects later in the timeline and did
not use unique_id for realization. Realization id is helpful for users to
debug data path to correlate the configuration with corresponding intent.
|
string |
Readonly |
| relative_path |
Relative path of this object
Path relative from its parent |
string |
Readonly |
| resource_type |
Must be set to the value Rule |
string |
|
| rule_id |
Unique rule ID
This is a unique 4 byte positive number that is assigned by the system.
This rule id is passed all the way down to the data path. The first 1GB
(1000 to 2^30) will be shared by GM and LM with zebra style striped
number space. For E.g 1000 to (1Million -1) by LM, (1M - 2M-1) by GM
and so on.
|
integer |
Readonly |
| scope |
The list of policy paths where the rule is applied
LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied
on multiple LRs/LRPs.
|
array of string |
Maximum items: 128 |
| sequence_number |
Sequence number of the this Rule
This field is used to resolve conflicts between multiple
Rules under Security or Gateway Policy for a Domain
If no sequence number is specified in the payload, a value of 0 is
assigned by default. If there are multiple rules with the same
sequence number then their order is not deterministic. If a specific
order of rules is desired, then one has to specify unique sequence
numbers or use the POST request on the rule entity with
a query parameter action=revise to let the framework assign a
sequence number
|
int |
Minimum: 0 |
| service_entries |
Raw services
In order to specify raw services this can be used,
along with services which contains path to services.
This can be empty or null.
|
array of ServiceEntry
(Abstract type: pass one of the following concrete types)
ALGTypeServiceEntry
EtherTypeServiceEntry
ICMPTypeServiceEntry
IGMPTypeServiceEntry
IPProtocolServiceEntry
L4PortSetServiceEntry
NestedServiceServiceEntry |
Maximum items: 128 |
| services |
Names of services
In order to specify all services, use the constant "ANY".
This is case insensitive. If "ANY" is used, it should
be the ONLY element in the services array. Error will be thrown
if ANY is used in conjunction with other values.
|
array of string |
Maximum items: 128 |
| source_groups |
Source group paths
We need paths as duplicate names may exist for groups under different
domains. Along with paths we support IP Address of type IPv4 and IPv6.
IP Address can be in one of the format(CIDR, IP Address, Range of IP Address).
In order to specify all groups, use the constant "ANY". This
is case insensitive. If "ANY" is used, it should be the ONLY element
in the group array. Error will be thrown if ANY is used in conjunction
with other values.
|
array of string |
Maximum items: 128 |
| sources_excluded |
Negation of source groups
If set to true, the rule gets applied on all the groups that are
NOT part of the source groups. If false, the rule applies to the
source groups
|
boolean |
Default: "False" |
| tag |
Tag applied on the rule
User level field which will be printed in CLI and packet logs.
Even though there is no limitation on length of a tag, internally
tag will get truncated after 32 characters.
|
string |
|
| tags |
Opaque identifiers meaningful to the API user |
array of Tag |
Maximum items: 30 |
| unique_id |
A unique identifier assigned by the system
This is a UUID generated by the GM/LM to uniquely identify
entites in a federated environment. For entities that are
stretched across multiple sites, the same ID will be used
on all the stretched sites.
|
string |
Readonly |